2.24 Trapdoors 89

an entry point. The names and locations of all entry points are saved in the executable program file, in contrast with the names of other labels, such as B, that disappear once the program has been compiled.
In Figure 2.15b, a section of code has been appended to our program, with a new entry point Q. This section performs some operations, calls procedure P, and stops. If Q is declared an entry point but is not documented by the programmer, then Q is a trapdoor (often also referred to as a backdoor). Anyone who knows that Q is an entry point into the program can enter at that point, while others cannot. (This is similar to saying that anyone who knows the name of a program can execute it, or that anyone who knows a URL can surf to it.) Thus, a trapdoor is an undocumented entry point in a program.

    (a)                    (b)
    A: ARRAY 100           A: ARRAY 100
    S: ADD ..              S: ADD ..
       LOD                    LOD
    B: NEG                 B: NEG
       CALL P                 CALL P
       . .                    . .
       STOP                   STOP
    P: INP ..              P: INP ..
       STO ..                 STO ..
       . .                    . .
       RET                    RET
                           Q: INP ..
                              CMPR ..
                              . .
                              CALL P
                              STOP
Figure 2.15: Source Code for a Trapdoor.
A trapdoor is not necessarily bad. Trapdoors serve useful and legitimate purposes such as testing, debugging, and maintaining the program. Sometimes an entry point that was included temporarily in a program during its development phase is accidentally left in. However, a trapdoor can be a powerful tool in the hands of a wrongdoer, and trapdoors are commonly found in viruses, worms, Trojans, and other types of malware.
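One way to turn the definition above into a check, as an added example that is not from the book: a short Python script that lists the exported code symbols of a binary, which are exactly the entry points the text says survive compilation, and reports any that are not in the program's documented interface. The nm output and the documented-interface list below are constructed samples (the symbol names match Figure 2.15 only for illustration); the line format, address, type letter and name, is what `nm -D --defined-only` prints.

```python
"""Audit a program's exported entry points against its documented interface.

Added example, not code from the book. Assumptions: the symbol list comes from
`nm -D --defined-only <binary>` and is embedded here as a constructed sample;
the documented interface is a constructed set of names. Any exported code
symbol that is neither documented nor added by the toolchain is reported as a
trapdoor candidate for the maintainer to explain or remove.
"""
import re

# Constructed sample of nm output for a hypothetical binary:
# "<address> <type> <name>". Type 'T' marks a global symbol in the text
# (code) section, i.e. something another program can call or jump to.
NM_OUTPUT = """\
0000000000001139 T P
0000000000001180 T S
00000000000011c0 T Q
0000000000004010 B A
0000000000001020 T _init
"""

# The entry points the program's documentation admits to (constructed).
DOCUMENTED_ENTRY_POINTS = {"S", "P"}

# Symbols the toolchain itself exports; they are not program-level entry points.
TOOLCHAIN_SYMBOLS = {"_init", "_fini", "_start", "main"}

NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")


def parse_nm(text):
    """Return {symbol name: type letter} for every defined symbol in nm output."""
    symbols = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = m.group(2)
    return symbols


def undocumented_entry_points(nm_text, documented, ignore=TOOLCHAIN_SYMBOLS):
    """Exported code symbols that the documentation does not list.

    Only global text symbols ('T') count: data symbols such as the array A
    cannot be entered, and local ('t') symbols are not callable from outside.
    """
    symbols = parse_nm(nm_text)
    exported_code = {name for name, kind in symbols.items() if kind == "T"}
    return sorted(exported_code - set(documented) - set(ignore))


if __name__ == "__main__":
    for name in undocumented_entry_points(NM_OUTPUT, DOCUMENTED_ENTRY_POINTS):
        print(f"undocumented entry point: {name}")
```

On the constructed sample the script reports Q, the undocumented entry point of Figure 2.15b, and stays silent once Q is added to the documented set; in practice the documented set is the program's published interface and the nm output is taken from the shipped binary, not the source.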
In God we trust, all others we virus scan.
3 Worms
A tapeworm is a parasite that lives inside the body of a bigger creature and sustains itself from its host’s resources. A software worm is a program that executes independently of other programs, replicates itself, and spreads through a network from computer to computer. A worm is a type of rogue software that resides in a host computer, but it is not a virus because it is not embedded in a host program. A worm propagates from host to host by exploiting a security hole or a vulnerability discovered by its creator. Section 3.4 shows how the Internet worm exploited security weaknesses in the finger and sendmail UNIX utilities. Section 2.11 describes a vulnerability in a decoder for jpeg images.
It seems that the idea of a software worm was first proposed by John Brunner in his novel The Shockwave Rider, where these programs are referred to as tapeworms. Inspired by this story, researchers at the Xerox Palo Alto Research Center (PARC) tried to implement and experiment with programs that propagated from computer to computer and performed useful tasks. They reported on their results in 1982 [Shoch and Hupp 82], and it took until 1988 for the first widely-spread worm to appear and create havoc. In the years since that attack, this particular malicious software became known as the Internet worm. It is a classic example of a worm and is described in Section 3.4. The discussion here follows the work, ideas, and recommendations of [Staniford et al. 02]. It examines the mechanisms used by known worms, and considers ways to create worms that are extremely sophisticated and dangerous because they can spread and embed themselves in a matter of hours or even minutes in millions of computers and remain a threat for months. An important part of the discussion concentrates on worm communications. We list several reasons why a worm’s author should be able to command the worm during its spread (i.e., send commands, signals, or even executable code to the large number of copies of the worm). Techniques for doing that are also presented. Finally, we present the idea of an international cyber center for disease control (CCDC) dedicated to the unending war against worms and other types of rogue software.
The main feature of worms, a feature that distinguishes them from viruses and Trojan horses, is their speed of propagation. A virus propagates when users send email, launch programs, or carry disks between computers. A worm propagates itself throughout the Internet by exploiting security weaknesses in applications and protocols we all use. Thus, a perpetrator interested in deep penetration of the Internet may try to implement a sophisticated worm. Because of this attribute, future worms may pose a threat to the Internet, to E-commerce, and to computer communications, and this threat may be much greater and much more dangerous than that posed by other types of rogue software. A worm that has infected several million computers on the Internet may have the potential for a global catastrophe. Here are just three possible scenarios:
Such a worm could launch vast DoS attacks that are out of the reach of current protection technologies. Such powerful attacks can bring down not only E-commerce sites, but sensitive military sites or the root domain name servers of the Internet. Such an attack may be an ideal tool in the hands of terrorists or may be perpetrated intentionally by a rogue nation to serve as a prelude to a large-scale war.
It is well known that rogue software often searches for sensitive information such as passwords and credit card numbers, but a wide-spread worm may blindly search for any kind of information based on a set of keywords. This type of “needle in a haystack” search is inefficient, but with millions of copies of the worm searching simultaneously, it may produce quick results.
A well-known adage says “you can’t fool all the people all the time,” but when the same false message arrives from millions of computers it may fool all the people some of the time. A wide-spread worm may cause much confusion and disrupt the lives of many by sending misinformation from millions of computers or just by making public the sensitive data it had discovered.
It’s easy to come up with other, no less frightening “applications” of a global worm, because we depend on the Internet more and more, and not just we as individuals, but the infrastructure of entire nations. Past experience with fast-spreading worms should serve as a warning to what the future may have in store for us in this corner of the discipline of computer security.
In general, the speed of a worm’s spread is dictated by the efficiency of finding new targets. Apart from optimizing the scanning code, a couple of minor variations in scan sequence can result in significant improvements in speed.
—Stuart Staniford, Vern Paxson, and Nicholas C. Weaver,
3.1 Code Red I
Among the many software products produced and marketed by Microsoft Inc. there is a Web server known as Microsoft Internet Information Services (or IIS, see [IIS 04]). In June 2001, a remote buffer overflow vulnerability that exposed IIS to attack was discovered and published in [CVE 01]. Just one month later, in July 2001, a new worm, designated Code-Red (later Code Red I or CRv1), appeared and started spreading by exploiting this weakness.
Once Code-Red had infected a host computer, it spread by generating 99 random IP addresses and trying to infect any IIS servers found at those addresses by exploiting the same vulnerability. In some cases, another random IP address was generated and the worm tried to deface the Web site (if any) at that address.
The first version of this worm had a serious bug: it always used the same seed for the pseudo-random numbers it generated. This meant that all the copies of the worm generated the same random numbers and tried to infect the same computers. The anonymous perpetrator also noticed this error and quickly came up with a second version, which became known as Code Red I v2 or CRv2 (not to be confused with Code Red II). It was identical to the first version, with three differences: (1) the bug in the random number generator had been corrected, (2) the new worm did not deface any Web sites, and (3) it targeted the White House Web site (http://www.whitehouse.gov) for a DoS attack.
In just a few days, this second version had spread to virtually all the computers running Microsoft IIS servers. It then turned itself off intentionally and later started resurfacing once a month.
The worm propagation analysis presented here follows the mathematical model developed in [Staniford et al. 02]. The model makes some simplifying assumptions. It assumes that the worm behaves perfectly, in particular that its random number generator generates good pseudo-random numbers. It also assumes that there are N computers running IIS on the Internet, and that this is the maximum number of computers that can be infected. (In reality, some of those computers will have installed security patches before being attacked or may be off when the worm tries to attack them.) The initial infection rate (the number of vulnerable computers the worm can find and infect in one time unit at the beginning of its operations, when relatively few computers have been infected) is denoted by K and is assumed to be constant (in reality K varies because data packets sent by the worm take different times to arrive at their targets and because potential victims have different speeds). The time when the attack started (day, hour, and minute) is denoted by T, and the current time is the variable t. The important quantity is the percentage of vulnerable computers that have been infected at time t. This is denoted by a(t).
At time t, the percentage of computers that have been infected (out of the N available hosts) is a(t). In the next time interval dt, the number of machines N da(t) that will be infected is given by
$$N\,da(t) = [N a(t)]\,K\,[1-a(t)]\,dt. \tag{3.1}$$
This is because the number of computers infected in the next dt seconds is the product of (1) the number N a(t) of infected hosts, (2) the number K[1−a(t)] of computers each of those infected hosts can infect in a unit time, and (3) the time interval dt.
Equation (3.1) yields the differential equation
$$\frac{da(t)}{dt} = K\,a(t)\,[1-a(t)],$$
that no longer depends on N. Separating variables gives ∫ da/[a(1−a)] = ∫ K dt, i.e., ln[a/(1−a)] = K(t−T), and solving for a yields
$$a(t) = \frac{e^{K(t-T)}}{1+e^{K(t-T)}}, \tag{3.2}$$
where T is the constant of integration. Equation (3.2) is well known from the study of the growth of epidemics. It is easy to see that when the worm starts (i.e., when t = T), the equation yields a(T) = 1/2. Later, as t grows, the difference t−T is positive, so e^{K(t−T)} grows without limit, causing a(t) to approach the value 1. Recall that a(t) is the percentage of computers infected at time t. Thus, Equation (3.2) implies that this percentage approaches 1, regardless of the number N of potential victims, and depending only on the initial infection rate K.
The conclusion from this simple analysis is that a well-debugged worm that operates like Code-Red can infect virtually every vulnerable computer on the Internet within a reasonably short time period, provided that K is large enough. Fitting the number of computers infected by the first wave of CRv2 to Equation (3.2) shows that this worm had an initial infection rate K of about 1.8 per hour. Its second wave of activity had a smaller rate of about 0.7.
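The model of this section carried through in code, as an added example that is not from the book or from [Staniford et al. 02]. It implements Equation (3.2), steps Equation (3.1) forward from a single infected host to confirm that the two agree, and computes the times the text reasons about. The symbols N, K, T and a(t) are the book's; K = 1.8 and K = 0.7 per hour are the two CRv2 fits quoted above, while the host count N = 360,000 and the time step are constructed choices. Because the simulation starts from one infected host rather than from a(T) = 1/2, T is derived from N and K; the time from 10% to 90% infected then depends on K alone, as the text concludes.

```python
"""Worm propagation model of Section 3.1 (logistic growth).

Added example, not code from the book or from [Staniford et al. 02]. Symbols
follow the text: N vulnerable hosts, initial infection rate K (per hour),
start time T (when half the hosts are infected), infected fraction a(t).
K = 1.8 and K = 0.7 are the CRv2 fits quoted in the text; N = 360_000 and
the time step dt are constructed choices for the demonstration.
"""
import math


def a_closed_form(t, K, T):
    """Equation (3.2): a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    Written as 1 / (1 + e^{-K(t-T)}) so a large K(t-T) cannot overflow exp()."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def start_offset(N, K):
    """T for a worm that begins with one infected host at t = 0.
    Solving a(0) = 1/N in (3.2) gives T = ln(N - 1) / K."""
    return math.log(N - 1) / K


def time_to_fraction(p, K, T):
    """Invert (3.2): the time at which a(t) = p, for 0 < p < 1."""
    return T + math.log(p / (1.0 - p)) / K


def rise_time(K):
    """Hours from 10% to 90% infected; depends on K alone, not on N or T."""
    return time_to_fraction(0.9, K, 0.0) - time_to_fraction(0.1, K, 0.0)


def simulate(N, K, dt=0.001, t_end=20.0):
    """Step Equation (3.1), N da = [N a] K [1 - a] dt, from one infected host.
    Returns (t, a(t)) samples; N cancels from the update, which is why the
    differential equation for a(t) no longer contains it."""
    t, infected = 0.0, 1.0
    samples = [(t, infected / N)]
    while t < t_end:
        a = infected / N
        infected += (N * a) * K * (1.0 - a) * dt
        t += dt
        samples.append((t, infected / N))
    return samples


def max_deviation(N, K, dt=0.001):
    """Largest gap between the stepped model and the closed form (3.2)."""
    T = start_offset(N, K)
    return max(abs(a - a_closed_form(t, K, T)) for t, a in simulate(N, K, dt))


if __name__ == "__main__":
    N = 360_000                      # constructed host count
    for K in (1.8, 0.7):             # CRv2 first and second wave fits, per hour
        T = start_offset(N, K)
        print(f"K={K}/h: half infected after {T:.1f} h, "
              f"90% after {time_to_fraction(0.9, K, T):.1f} h, "
              f"10% to 90% takes {rise_time(K):.1f} h; "
              f"model vs (3.2) deviate by at most {max_deviation(N, K):.4f}")
```

One nuance the closed form makes visible: the shape of the curve and the 10% to 90% rise time are independent of N, but the lead time from the first infected host to the half-way point T grows like ln(N)/K, so a larger vulnerable population buys defenders only a logarithmic amount of extra time.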
Following the success of Code Red I, a similar worm, designated Code Red II (after a string found in a comment inside the worm), appeared in early August 2001 [Code Red II 01]. It was a rewritten version of Code Red I and exploited the same IIS vulnerability. Once it had infected a computer, Code Red II installed a backdoor allowing its controller unrestricted access to that computer. Evidently, the worm had been tested by its creator only on Windows 2000, because when it infected computers running IIS under Windows NT, it crashed the operating system.
Like its predecessor, Code Red II generated pseudo-random IP addresses, but these were not uniformly distributed. A random IP address was generated with probability 1/2 from the infected host's own class A network, with probability 3/8 from its own class B network, and with probability 1/8 from the entire IP address space. This type of localized spreading makes sense for a worm, because computers with IP addresses close to address X tend to be geographically close to the computer whose IP address is X. Often, such computers are part of the same local area network, and it has been noticed that the worm spread rapidly within such a network once it had infected one computer in it.
The nimda worm (nimda is admin spelled backwards) first appeared in mid-September 2001 and was likely written by the same person responsible for the two Code Red versions. Nimda was a multi-vector (or multi-mode) worm because it tried to spread itself in several ways. This approach to worm propagation has proved useful, and nimda spread quickly and extensively even behind firewalls. It remained a menace on the Internet for months. Nimda spread in several ways, as follows:
Nimda's main propagation technique was to exploit the IIS vulnerability. Nimda also searches address books in an infected computer and emails itself to all the addresses found there.
It copies itself across open network shares.
It installs code on Web sites in infected computers such that anyone browsing the site gets infected.
It scans for the backdoors left by Code Red II and the sadmind worms. This is why it’s likely that all three were implemented by the same person.
At the Lawrence Berkeley National Laboratory, special software was used to count how often nimda, running on many infected computers elsewhere, tried to connect to computers at that site. The count of nimda probes rose in 30 minutes from zero to nearly 100 per second.
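The probe counting described for the Lawrence Berkeley National Laboratory, together with the localized address choice described for Code Red II, as an added example in Python that is neither LBL's software nor code from the book. The log format (one connection attempt per line: epoch seconds, source, destination, destination port) and the nine log lines are constructed. The functions count probes per second, flag seconds above a threshold, and report for each scanning source what share of its targets fall in its own /8 and /16, which separates a Code Red II style local scanner from uniform random scanning.

```python
"""Count worm probes from a connection-attempt log and spot localized scanning.

Added example, not LBL's counting software and not from the book. The log
format and the sample lines are constructed: "<epoch seconds> <src> <dst> <dport>".
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log. 10.20.30.40 scans mostly inside its own /16 and /8,
# the pattern the text attributes to Code Red II; 192.0.2.9 scans uniformly.
SAMPLE_LOG = """\
1000000000 10.20.30.40 10.20.31.1 80
1000000000 192.0.2.9 198.51.100.1 80
1000000001 10.20.30.40 10.20.31.2 80
1000000001 10.20.30.40 10.99.1.1 80
1000000001 192.0.2.9 203.0.113.5 80
1000000002 10.20.30.40 10.20.31.3 80
1000000002 10.20.30.40 172.16.5.5 80
1000000002 192.0.2.9 10.1.1.1 80
1000000002 192.0.2.9 172.16.0.1 80
"""


def parse_log(text):
    """Return (second, src, dst) tuples; malformed lines are skipped."""
    probes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            second = int(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        probes.append((second, src, dst))
    return probes


def probes_per_second(text):
    """Probe count keyed by second: the series LBL's counter produced."""
    return Counter(second for second, _, _ in parse_log(text))


def seconds_over(text, threshold):
    """Seconds whose probe count exceeds the threshold, in time order.
    A site can alarm on this once the baseline (near zero) is known."""
    return sorted(s for s, n in probes_per_second(text).items() if n > threshold)


def scan_locality(text):
    """For every source, the fraction of its targets inside its own /8 and /16.
    Uniform random scanning gives fractions near 1/256 and 1/65536; a
    Code Red II style scanner gives roughly 1/2 + 3/8 and 3/8 respectively."""
    targets = defaultdict(list)
    for _, src, dst in parse_log(text):
        targets[src].append(dst)
    result = {}
    for src, dsts in targets.items():
        net8 = ipaddress.ip_network(f"{src}/8", strict=False)
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)
        same8 = sum(d in net8 for d in dsts) / len(dsts)
        same16 = sum(d in net16 for d in dsts) / len(dsts)
        result[str(src)] = (same8, same16)
    return result


if __name__ == "__main__":
    for second, count in sorted(probes_per_second(SAMPLE_LOG).items()):
        print(f"t={second}: {count} probes/s")
    print("seconds over 2 probes/s:", seconds_over(SAMPLE_LOG, 2))
    for src, (same8, same16) in scan_locality(SAMPLE_LOG).items():
        print(f"{src}: {same8:.2f} of targets in own /8, {same16:.2f} in own /16")
```

With only a handful of probes per source the locality fractions are noisy; on a real feed they should be computed over hundreds of attempts per source before a source is labelled as a local scanner, while the per-second count alone is enough to notice the kind of ramp LBL saw.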